In general, with the recent rapid development and spread of the Internet, the value of information assets continues to increase, and various attempts have been made to protect that value. From a technical point of view, technologies have been developed for diagnosing or eliminating vulnerability to various threats such as hacking, viruses, worms, Trojans, phishing, pharming, and the like.
Phishing attacks use spoofed emails and fraudulent websites designed to fool recipients into entering and transmitting personal or financial information such as credit card numbers, account names and passwords, social security numbers, etc. Pharming attacks fool a PC user into connecting to an internet protocol (IP) address designated by an attacker and divulging important information, even when the user correctly enters the domain name address of the website to be connected to. They do so by illegally modifying the hosts files that are referred to when a query is performed from the PC to a domain name system (DNS) server.
In other words, a phishing attack puts a link in emails that appear to be sent by the websites of financial institutions and steals a personal authorization number, credit card number, account information or the like, while a pharming attack is a type of Internet fraud in which a hijacker hijacks a legitimately owned website or fakes domain name addresses to lure users into mistaking fake sites for actual sites. The official domain of a website itself is hijacked in the middle of a transmission, so users believe without any suspicion that a fake site is the site they always use, and thus expose their personal ID, password, account information, and the like.
Moreover, a pharming attack is more likely to fool a user than a phishing attack because it directly or indirectly modifies the address of a DNS or proxy server. Methods for pharming attacks include modifying a DNS address, modifying a client hosts file, modifying the DNS server address configured on a client, modifying registered domain information, and using a proxy server.
In other words, the pharming attack infects a user terminal device with malicious code or the like so that the hosts file in the user terminal device points to a fake web server, or the DNS server information points to a fake DNS server. Thereafter, when the user connects to a specific web server, the user terminal device uses its hosts file or the fake DNS server to get the IP address of the web server. However, since the hosts file or DNS information has already been changed by the malicious code, the user terminal device resolves the web server to a fake IP address. As a result, the connection is made to the fake web server, and the user mistakes the fake site for a normal site and reveals his/her personal information.
In this way, pharming attacks are based on changing addresses so that users are easily lured into making connections without any suspicion, and generally take the form of ‘modifying DNS information’. A DNS has the function of translating a domain name address, which is what users usually enter, into an IP address to connect to a site, or vice versa. This function is required because it is not possible to remember all of the IP addresses that enable actual communication on a network, so a domain name address is used to easily remember and visit a desired site.
As mentioned above, phishing attacks entice users to fake phishing sites by using similar domain name addresses, redirection via normal sites, sophisticated fake pages or the like, but users themselves can recognize the phishing sites if they check them carefully. If DNS information is changed, as is done in pharming attacks, it becomes more difficult for users to recognize the fake sites, and the possibility that users will mistake these sites for actual sites increases. For this reason, large-scale damage due to pharming attacks can be expected to happen in some cases.
Further, although technologies for countering pharming attacks are employed, which require user confirmation when the hosts file or DNS information is set or which make the hosts file or DNS information unchangeable, it is difficult to determine whether a given change in the hosts file or DNS information was caused by malicious code or made by the user. Thus, it is difficult to detect and counter pharming attacks in real situations.
In particular, in a case where the information in the hosts file that is used for updates is modified by malicious code in a pharming attack, a new update cannot be performed, and therefore information loss resulting from the pharming attack cannot be avoided.
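
The hosts-file modification described above leaves a visible trace: a static entry for a name that would normally be resolved through DNS. The following added example (not part of the original text) parses a hosts file and lists such entries for review, including update hosts pinned to a loopback address. The watchlist, domain names and sample file are constructed assumptions, and the check does not decide whether the user or malicious code made the change.

```python
import ipaddress

# Constructed sample of a tampered hosts file. Names use the reserved .test
# TLD and 203.0.113.0/24 is a documentation address range.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.examplebank.test examplebank.test   # injected
127.0.0.1       update.example-av.test
192.168.1.20    nas.home.lan
not-an-ip       broken.line
"""

# Assumed watchlist: domains that should never have a static hosts entry.
WATCHED = {"examplebank.test", "example-av.test"}

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every valid mapping in the file."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed address, skip line
        for name in fields[1:]:                 # one line may carry aliases
            yield line_no, ip, name.lower().rstrip(".")

def is_watched(name, watched):
    """True if name is a watched domain or one of its subdomains."""
    return any(name == d or name.endswith("." + d) for d in watched)

def find_overrides(text, watched=WATCHED):
    """Return (line_no, hostname, ip, kind) for each watched name in the file."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if not is_watched(name, watched):
            continue
        # Loopback/unspecified targets cut the host off (e.g. blocked updates);
        # any other address sends the connection to a different server.
        kind = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirected"
        findings.append((line_no, name, str(ip), kind))
    return findings

if __name__ == "__main__":
    for finding in find_overrides(SAMPLE_HOSTS):
        print(finding)
```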